A few days ago I played around with some of my virtual machines and encountered an issue when attempting to remove a Windows Server 2008 R2 Server Core machine from a domain. Because both the core machine and the Domain Controller (DC) machine were virtual machines, when I reverted the DC back to a previous snapshot, the core machine could no longer access resources on the DC, and I couldn’t log on to the machine by using the domain admin user account.

This is the error I got while attempting to log on by using a domain user account:

“The security database on the server does not have a computer account for this workstation trust relationship.”

To fix this, I tried to remove the server core machine from the domain. In core, this can be done in one of 2 ways:

By using SCONFIG

By using NETDOM

Since SCONFIG is easier, I used it. I typed SCONFIG in the Command Prompt window, and when SCONFIG opened, I pressed on the “1” key.

I then attempted to remove the machine from the domain in order to later re-join it.

I entered the right local credentials:

But no matter what I did, I got an error:

“Failed to join domain.”

(Actually, I tried to get out of a domain, but no matter…)

So I tried using NETDOM. In the Command Prompt window I typed the following command:

And then it hit me. The error I got when attempting to log on by using a domain user account had a clue in it. There was no computer account for the server core machine in Active Directory Users and Computers!

So I went to the DC, opened the Active Directory Users and Computers snap-in, and bingo, indeed the computer account was missing.

I created the server core computer account by clicking on the “Computers” container > New > Computer.

I created the new computer object with a name that matches the name of the server core machine.

Attempting to leave the domain again resulted in success, and I was asked to reboot the machine.

Back in Active Directory Users and Computers, the computer account’s object was disabled.

It’s worth noting that I only encountered this specific issue on server core machines, and while it’s possible that it could happen in GUI-based operating systems such as Windows XP/Vista/7 etc., these will usually let you complete the action even if the computer account was missing.
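The check and fix described above (look for the computer account on the DC, recreate it if it is missing) can also be scripted. This is an added example, not part of the original article: the function name `Repair-MissingComputerAccount` and the machine name `CORE01` are hypothetical, and it assumes the ActiveDirectory PowerShell module is available on the DC and that the account belongs in the default "Computers" container.

```powershell
# Added example, not from the original article. Run on the DC in an elevated
# PowerShell session. 'CORE01' is a constructed placeholder machine name.
Import-Module ActiveDirectory

function Repair-MissingComputerAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Restrict input to NetBIOS-style names so it is safe inside the -Filter string.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9-]{1,15}$')]
        [string]$ComputerName
    )

    # -Filter returns nothing when no object matches, where -Identity would throw.
    $account = Get-ADComputer -Filter "Name -eq '$ComputerName'" `
        -Properties PasswordLastSet, whenCreated

    if ($account) {
        # The object exists: report its state so a disabled or stale account is visible.
        return $account |
            Select-Object Name, Enabled, PasswordLastSet, whenCreated, DistinguishedName
    }

    # No object found, which matches the "does not have a computer account for this
    # workstation trust relationship" logon error. Recreate it in the default
    # Computers container, as done through the snap-in in the article.
    $container = (Get-ADDomain).ComputersContainer
    Write-Warning "No computer account named '$ComputerName' exists in the domain."

    if ($PSCmdlet.ShouldProcess("$ComputerName in $container", 'Create computer account')) {
        New-ADComputer -Name $ComputerName -SamAccountName $ComputerName `
            -Path $container -Enabled $true -PassThru |
            Select-Object Name, Enabled, DistinguishedName
    }
}

# Dry run first: -WhatIf shows what would be created without changing the directory.
Repair-MissingComputerAccount -ComputerName 'CORE01' -WhatIf
```

Running it without `-WhatIf` creates the object; the name must match the server core machine's name, as in the manual steps.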

About the Contributor

Daniel Petri is a world-known IT professional, technical trainer and creator of one of the world’s largest IT knowledge bases – www.petri.com. Daniel consults to leading global Fortune 1000 companies in Microsoft IT Infrastructure and Engineering strategies.

For his contribution to the IT Pro community Daniel has received the Microsoft Most Valuable Professional (MVP) award for the 14th time. Daniel’s professional certifications include Microsoft Certified Technology Specialist, Microsoft Certified Systems Engineer, Microsoft Certified System Administrator and Microsoft Certified Trainer.

While working for Microsoft, Daniel serves as a Senior Premier Field Engineer (PFE) specializing in Windows Server OS and Active Directory.
Daniel now works for ObserveIT, makers of the Insider Threat Detection software, where he holds the role of Senior Solutions Architect, where he manages large deployment projects and partner and customer training programs.

In his spare time, Daniel rides a 1200cc 2015 model Ducati Multistrada 1200S bike and manages the Israeli Bikers forum.